[Suggestion] Workaround for apps detect bootloader unlocked through hardware attestation #252
Comments
It's cryptographically impossible to spoof hardware attestation because it's signed with keys private to TrustZone/StrongBox, leaving vulnerabilities in the TEE or StrongBox firmware as the only option. This would be considered an actual security vulnerability in the firmware that would be patched quickly by the relevant vendor, not a simple bypass, so there's no reason to blow it on bypassing app limitations instead of reporting it to Google/Qualcomm.
So, no way to make the CIB banking app work?
yes
Meanwhile, they can ignore the SafetyNet / Play Integrity result and get the status from hardware attestation if your device has it. Broken TEE, self-signed or unlocked will be considered suspicious traces, and bypassing SafetyNet can be meaningless.
But the question was whether we can prevent bank apps from intercepting such signals independent of the Play Integrity API etc... I know MHPC originally used the "not implemented" error code from Keymaster "to simulate... an old device lacking support for key attestation"... (It now uses Zygisk "to inject code into the Play Services process and register a fake keystore provider", causing GMS to throw an exception when attempting to use key attestation, which effectively simulates the same failure condition, resulting in a fallback to basic attestation.) I wonder if that initial approach (in combination with some prop-based device simulation?) might have better convinced bank apps that hardware key based attestation is actually 'not implemented' rather than tampered...
Yes you can, my Xposed module bypasses CIB hardware attestation: https://github.com/swer45/AttestationSpoofer
I tried it, but it's not working; tried keyattestation and CIB. I have a OnePlus 7 Pro.
FYI - it seems to fail in the latest CIB v4.2.37 @swer45
Nope, it's working.
thanks bro
Now we have a few apps that use hardware attestation to detect bootloader status no matter whether SafetyNet or Device Integrity passes.
We have tested with a few good guys on Telegram and it's only working on unlocked devices with no hardware attestation (or a locked bootloader, ofc). It doesn't even work after uninstalling Magisk.
https://play.google.com/store/apps/details?id=com.CIB.Digital.MB&hl=en&gl=US
As we know, we can't spoof hardware attestation.
Is it time to spoof "no hardware attestation" or find another way around it?
Hope you will take a look!
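What an app (or, more usually, its backend) actually reads when it "uses hardware attestation to detect bootloader status" is the RootOfTrust inside the key attestation certificate extension (OID 1.3.6.1.4.1.11129.2.1.17): `deviceLocked` plus `verifiedBootState`, inside the `teeEnforced` list, all signed by the TEE. The following is an added example for readers of this thread, not code from this repository, from swer45's module, or from any app named here. It uses a small hand-written DER encoder/decoder so it runs without third-party libraries, builds a constructed sample KeyDescription (dummy key and hash bytes, made-up challenge), and parses it back the way a verifying backend would. Certificate chain validation against the attestation root, challenge matching and revocation checks are assumed to happen before this step and are not shown.

```python
"""Read the verified-boot state out of an Android key attestation KeyDescription.

Added example, not project code. Structures follow the public key attestation
schema; the encoder exists only so the sample input can be constructed inline.
"""

CLS_UNIVERSAL, CLS_CONTEXT = 0x00, 0x80
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 1, 2, 4, 10, 16
TAG_ROOT_OF_TRUST = 704  # [704] EXPLICIT RootOfTrust inside an AuthorizationList
SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}
VERIFIED_BOOT_STATES = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}


# ---- minimal DER encoder (only what the sample needs) ----
def _encode_tag(cls, constructed, num):
    first = cls | (0x20 if constructed else 0)
    if num < 31:
        return bytes([first | num])
    groups = []                      # high-tag-number form: base-128, MSB marks continuation
    while num:
        groups.append(num & 0x7F)
        num >>= 7
    groups.reverse()
    return bytes([first | 0x1F] + [0x80 | g for g in groups[:-1]] + [groups[-1]])

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(cls, constructed, num, body):
    return _encode_tag(cls, constructed, num) + _encode_len(len(body)) + body

def _uint(tag, v):                   # INTEGER / ENUMERATED, non-negative values only
    return _tlv(CLS_UNIVERSAL, False, tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _octets(b):
    return _tlv(CLS_UNIVERSAL, False, TAG_OCTET_STRING, b)

def _seq(*parts):
    return _tlv(CLS_UNIVERSAL, True, TAG_SEQUENCE, b"".join(parts))

def _explicit(num, inner):
    return _tlv(CLS_CONTEXT, True, num, inner)

def build_sample_key_description(boot_state, device_locked, security_level):
    """Constructed sample KeyDescription; key/hash bytes and the challenge are dummies."""
    root_of_trust = _explicit(TAG_ROOT_OF_TRUST, _seq(
        _octets(b"\x11" * 32),                                        # verifiedBootKey (dummy)
        _tlv(CLS_UNIVERSAL, False, TAG_BOOLEAN, b"\xff" if device_locked else b"\x00"),
        _uint(TAG_ENUMERATED, boot_state),                            # verifiedBootState
        _octets(b"\x22" * 32),                                        # verifiedBootHash (dummy)
    ))
    algorithm = _explicit(2, _uint(TAG_INTEGER, 3))                   # algorithm [2], ignored below
    # A software-only attestation has no TEE-signed list; RootOfTrust then lives in softwareEnforced.
    software_enforced = _seq(root_of_trust) if security_level == 0 else _seq()
    tee_enforced = _seq() if security_level == 0 else _seq(algorithm, root_of_trust)
    return _seq(
        _uint(TAG_INTEGER, 4),                  # attestationVersion
        _uint(TAG_ENUMERATED, security_level),  # attestationSecurityLevel
        _uint(TAG_INTEGER, 41),                 # keymasterVersion
        _uint(TAG_ENUMERATED, security_level),  # keymasterSecurityLevel
        _octets(b"server-challenge"),           # attestationChallenge (constructed value)
        _octets(b""),                           # uniqueId
        software_enforced,
        tee_enforced,
    )


# ---- minimal DER decoder ----
def _decode_tag(buf, pos):
    first = buf[pos]; pos += 1
    num = first & 0x1F
    if num == 0x1F:
        num = 0
        while True:
            b = buf[pos]; pos += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return first & 0xC0, bool(first & 0x20), num, pos

def _read_tlv(buf, pos):
    cls, constructed, num, pos = _decode_tag(buf, pos)
    length = buf[pos]; pos += 1
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return (cls, constructed, num, buf[pos:end]), end

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tlv, pos = _read_tlv(body, pos)
        out.append(tlv)
    return out

def _root_of_trust(auth_list_body):
    """RootOfTrust from an AuthorizationList body, or None if the list carries none."""
    for cls, constructed, num, val in _children(auth_list_body):
        if cls == CLS_CONTEXT and constructed and num == TAG_ROOT_OF_TRUST:
            key, locked, state, vb_hash = _children(_children(val)[0][3])
            return {"verifiedBootKey": key[3], "deviceLocked": locked[3] != b"\x00",
                    "verifiedBootState": VERIFIED_BOOT_STATES.get(state[3][0], "unknown"),
                    "verifiedBootHash": vb_hash[3]}
    return None

def parse_key_description(der):
    (cls, constructed, num, body), end = _read_tlv(der, 0)
    if (cls, constructed, num, end) != (CLS_UNIVERSAL, True, TAG_SEQUENCE, len(der)):
        raise ValueError("KeyDescription must be a single SEQUENCE")
    f = _children(body)
    if len(f) < 8:
        raise ValueError("KeyDescription is missing fields")
    return {"attestationVersion": int.from_bytes(f[0][3], "big"),
            "attestationSecurityLevel": SECURITY_LEVELS.get(f[1][3][0], "unknown"),
            "challenge": f[4][3],
            "softwareEnforced": {"rootOfTrust": _root_of_trust(f[6][3])},
            "teeEnforced": {"rootOfTrust": _root_of_trust(f[7][3])}}

def bootloader_verdict(der):
    """Policy a backend applies after the chain and challenge have been validated."""
    kd = parse_key_description(der)
    if kd["attestationSecurityLevel"] == "Software":
        return "no-hardware-attestation"    # nothing the TEE signed: not evidence of a locked bootloader
    rot = kd["teeEnforced"]["rootOfTrust"]
    if rot is None:
        return "no-root-of-trust"
    if rot["deviceLocked"] and rot["verifiedBootState"] == "Verified":
        return "locked"
    return "unlocked-or-modified"
```

The point for the thread: the verdict comes from bytes the TEE signed, which is why swapping `deviceLocked` or `verifiedBootState` from userspace breaks the signature. The only states the parser returns without a TEE-signed RootOfTrust are "no-hardware-attestation" and "no-root-of-trust", and a backend that wants to check bootloader status treats both as "unknown", not as "locked".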